1

Usable security and the human in the loop

Michelle Mazurek

Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang

2

Today’s class

•  Introducing me

•  Introducing you

•  Human Factors for Security and Privacy?

•  Course policies and syllabus

•  The human in the loop

3

Who am I?

•  Michelle Mazurek (mmazurek@umd.edu)

•  Assistant professor, CS and UMIACS

•  Affiliated with MC2 and HCIL

•  Office hours: Tues 2-3 pm in AVW 3421, or by appointment

4

Who are you?

•  Preferred name

•  Academic program, adviser if applicable

•  Background in HCI (a lot, a little, none)

•  Background in security/privacy (a lot, a little, none)

•  Why this course?

5

Humans

“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… But they are sufficiently pervasive that we must design our protocols around their limitations.”

−− C. Kaufman, R. Perlman, and M. Speciner. Network Security: PRIVATE Communication in a PUBLIC World.

2nd edition. Prentice Hall, page 237, 2002.

6

More on humans

“Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.”

-- former FBI Director Robert Mueller

7

And one more …

“I think privacy is actually overvalued … If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text. What’s the big deal?”

-- Judge Richard Posner U.S. Court of Appeals, 7th circuit

8

Better together

Examining security/privacy and usability together is often critical for achieving either

9

Borrowing from many disciplines

•  Psychology•  Sociology•  Ethnography•  Cognitive sciences•  Warning science•  Risk perception•  Behavioral economics

•  HCI•  Marketing•  Counterterrorism•  Communication•  Persuasive technology•  Learning science

Many disciplines have experience studying humans. Can we learn from their models and methods?

10

Why is security/privacy different?

•  Presence of an adversary

•  Security/privacy is a secondary task

•  Designing for humans is not enough!–  Support users who are predictable, stressed, careless,

unmotivated, busy, foolish–  Without compromising security and privacy

11

Bridging security and HCI

Security! Usability/HCI! Usable Security!Humans are a secondary constraint compared to security concerns

Humans are the primary constraint, security is rarely considered

Human factors and security are both primary constraints

Humans considered primarily in their role as adversaries/attackers

Concerned about human error but not human attackers

Concerned about both normal users and adversaries

Involves threat models Involves task models, mental models, cognitive models

Involves threat models AND task models, mental models, etc.

Focus on security metrics Focus on usability metrics Considers usability and security metrics together

User studies are rare User studies are common User studies common, often involve deception or distraction

12

Bridging security and HCI

Security! Usability/HCI! Usable Security!Humans are a secondary constraint compared to security concerns

Humans are the primary constraint, security is rarely considered

Human factors and security are both primary constraints

Humans considered primarily in their role as adversaries/attackers

Concerned about human error but not human attackers

Concerned about both normal users and adversaries

Involves threat models Involves task models, mental models, cognitive models

Involves threat models AND task models, mental models, etc.

Focus on security metrics Focus on usability metrics Considers usability and security metrics together

User studies are rare User studies are common User studies common, often involve deception or distraction

13

User-selected graphical passwords

Security! Usability/HCI! Usable Security!What is the space of possible passwords? How can we make the password space larger to make the password harder to guess? How are the stored passwords secured? Can an attacker gain knowledge by observing a user entering her password?

How difficult is it for a user to create, remember, and enter a graphical password? How long does it take? How hard is it for users to learn the system? Are users motivated to put in effort to create good passwords? Is the system accessible using a variety of devices, for users with disabilities?

All the security/privacy and usability HCI questions How do users select graphical passwords? How can we help them choose passwords harder for attackers to predict? As the password space increases, what are the impacts on usability factors and predictability of human selection?

14

User-selected graphical passwords

Security! Usability/HCI! Usable Security!What is the space of possible passwords? How can we make the password space larger to make the password harder to guess? How are the stored passwords secured? Can an attacker gain knowledge by observing a user entering her password?

How difficult is it for a user to create, remember, and enter a graphical password? How long does it take? How hard is it for users to learn the system? Are users motivated to put in effort to create good passwords? Is the system accessible using a variety of devices, for users with disabilities?

All the security/privacy and usability HCI questions How do users select graphical passwords? How can we help them choose passwords harder for attackers to predict? As the password space increases, what are the impacts on usability factors and predictability of human selection?

15

Course goals

•  Gain an appreciation for the importance of human factors to security and privacy

•  Learn about current and important research in the area

•  Learn how to conduct user studies targeting security and privacy issues

•  Gain tools for critically evaluating research you hear or read about

16

Course topics

•  Quick overviews of security and privacy

•  Intro to HCI methods and experimental design

–  How and when to use different qualitative and quantitative study designs

–  Ecological validity and ethics–  Overview of statistical analysis

•  Current/important research on topics of note

–  Passwords, web and mobile privacy, policies and notices, usable encryption, etc.

17

Topic: Passwords

•  Can people make passwords that are easy to remember, yet hard to crack?

Image from http://www.trypap.com

18

Topic: Graphical passwords

•  Humans have great visual memory… can this fact be leveraged for authentication?

Image from http://www.techradar.com

19

Topic: Biometrics

•  Characteristics of the human body can be used to identify or authenticate

–  How can this be done in a user-friendly way?

Image from http://www.economist.com

Image from http://www.sciencedaily.com

20

Topic: Secondary authentication

•  Favorite athlete?

•  Make of first car?

•  Where Barack Obama met his wife?

•  Jennifer Lawrence’s mother’s maiden name?

Image from http://www.wikipedia.org

21

Topic: Censorship, anonymity

•  How can we help people to remain anonymous on the Internet? (And should we?)

•  How can we help people to evade censorship? (And should we?)

Image from http://www.wikipedia.org

Image from http://www.jhalderm.com

22

Topic: Usable encryption

•  Why don’t people encrypt their email and files?

23

Topic: SSL and PKIs

•  Is there any hope for making certificates and SSL warnings usable?

•  Can we teach developers to use SSL correctly?

24

Topic: Security warnings

•  When do we really need them?

•  Can we make them more effective?

25

Topic: Privacy policies and notices

•  How do we communicate privacy-critical info?–  To busy users–  Despite information overload

Screenshot from http://www.tosdr.org

26 Image from http://www.about.com

Topic: Access control, policy configuration

•  Who should have access to your files, physical spaces, and online posts?

•  How can we make it easier for users to express and enforce their preferences?

27

Image from http://www.ftc.gov

Topic: Privacy and security at home

•  How does the increase in devices and sensors affect privacy dynamics within the home?

•  How can these sensors be usably secured?

Image from http://www.makezine.com

28

Topic: Browser privacy & security

•  What kind of tracking currently occurs, and what do average people think of it?

•  … And why has phishing been so effective?

29 Image from http://www.nokia.com Image from http://

www.arstechnica.com

Topic: HFPS for mobile

•  Do people understand where the information on their phone goes?

•  …And can someone please make app permissions usable?

30

Topic: Social networks and privacy

•  Can people want to share some things widely yet want other things to be private?

31

Topic: Safety-critical devices

•  Cars, medical devices, appliances are computers–  How do we help users protect their privacy and

maintain security while still reaping the benefits of these new technologies?

Image from http://www.motortrend.com

Image from http://www.allaboutsymbian.com

Image from http://www.hcwreview.com

32

Topic: Economics and behavior

•  Can we encourage (nudge) users to make better privacy and security decisions?

•  … And why do Nigerian scammers say they are from Nigeria?

33

Topic: Mental models, education

•  How do people think about privacy and security?

•  How can we educate them?

–  What should they know?

Image from http://www.quickmeme.com

34

Course website

•  https://sites.umiacs.umd.edu/mmazurek/courses/818d-s16/

•  Assignments posted and submitted via ELMS

•  Discussions: ELMS or Piazza?

35

Your grade

•  Project: 40%

•  Homework: 15%

•  Final exam: 15%

•  Class presentation: 10%

•  Reading reports: 10%

•  Class participation: 10%

36

Reading and reports

•  Usually 2 required readings per class–  Several additional optional readings–  Complete BEFORE class!

•  20 reports per student (10%)–  Brief summary (3-5 sentences) and comment for each

required reading, one optional reading–  Due at start of class

•  If you don’t do the reading, we can’t discuss

37

Class participation (10%)

•  Contribute to in-class discussions, activities–  Do the reading!–  Go to relevant seminars and tell us about them

•  Contribute to class discussion board–  ELMS or Piazza?–  Share interesting privacy/security news–  Ask questions and spark discussion–  Answer questions for other students

38

Class presentation (10%)

•  Lead class for 45+ min on assigned day–  Bid for preferred dates

•  DON’T: just present reading summaries

•  DO: required and optional reading

•  DO: demo, discussion, activity, additional sources, etc.

39

Homework (15%)

•  Exercise skills for designing/critiquing experiments and tools, analyzing data

–  Sketch a tool–  Evaluate a tool–  Conduct a mini user study–  Propose possible studies–  Analyze sample data–  Etc.

•  Five total

•  HW1 due next Tuesday Thursday

40

Final exam

•  Take-home, during the last week of class

•  Much like a longer homework

41

Project (40%)

•  Design, conduct, and analyze a user study related to security or privacy

–  Pitch projects in class–  Result in groups of 3-5

•  Deliverables: project proposal, IRB application, progress report, final paper and talk

–  Workshop-quality paper

•  Preferred goals: Submit a poster to SOUPS 2016, and/or a paper to NDSS 2017 or CHI 2017

42

Example projects (mostly CMU)

•  An inconvenient trust: User attitudes toward key-directory encryption systems (submitting to SOUPS 2016)

•  The post that wasn’t: Exploring self-censorship on Facebook (CSCW 2013)

•  Exploring reactive access control (CHI 2011)

•  How does your password meter measure up? The effect of strength meters on password creation (USENIX Sec 2012)

•  Passwords gone mobile (CHI 2016)

•  … and others!

43

Academic integrity

•  Homework assignments and exam are INDIVIDUAL unless otherwise noted

–  Don’t look at other students’ assignments

•  Zero-tolerance policy for plagiarism–  Includes reading reports!–  Even one sentence is too much. Rewrite in your words.–  When in doubt, ASK BEFORE YOU SUBMIT

•  Review university policies as needed

44

Other miscellaneous

•  I expect you in class–  Foreseeable family obligations, holidays, conferences,

etc: send me email in the next week–  Unforeseeable: let me know

•  Consider joining:–  MC2-discuss@umiacs–  MC2-announce@umiacs–  hcil@cs

45

The human threat

•  Malicious humans

•  Humans who don’t know what to do

•  Unmotivated humans

•  Humans with human limitations

46

Key challenges

•  Security is a secondary task–  Users are trying to get something else done

•  Security concepts are hard

–  Viruses, certificates, SSL, encryption, phishing

•  Human capabilities are limited

47

Are you capable of remembering a unique strong password for every account you have?

48

Key challenges

•  Security is a secondary task

•  Security concepts are hard

•  Human capabilities are limited

•  Habituation

–  The “crying wolf” problem

•  Misaligned priorities

49

Security

Expert User

Keep the bad guys out

Don’t lock me out!

50

Key challenges

•  Security is a secondary task

•  Security concepts are hard

•  Human capabilities are limited

•  Habituation

•  Misaligned priorities

•  Active adversaries–  Unlike ordinary UX

51

52

GREY AND USER BUY-IN Case study #1:

53

Grey: Smartphone-enabled doors

•  Access control system for doors in the CMU CyLab offices

•  Based on formal proofs of access–  Allows users to grant access to others

remotely

•  Year-long interview study

–  29 users x 12 accesses per week

L. Bauer, L.F. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. A User Study of Policy Creation in a Flexible Access-Control System. CHI 2008.

L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons Learned from the Deployment of a Smartphone-Based Access-Control System. SOUPS 2007.

54

Users complained about speed

•  Videotaped a door to understand how Grey is different from keys

55

Average access times

Getting keys

3.6 sec 5.4 sec

Stop in front of door

Door opened

Total 14.7 sec σ = 3.1 σ = 3.1

5.7 sec σ = 3.6

σ = 5.6 Door Closed

Door Closed

8.4 sec 2.9 sec 3.8 sec

Stop in front of door

Getting phone

Door opened

Total 15.1 sec σ = 2.8 σ = 1.5 σ = 1.1

σ = 3.9

Grey is not noticeably slower than keys!

56

“I find myself standing outside and everybody inside is looking at me standing outside while I am trying to futz with my phone and open the stupid door.”

Takeaway: Misaligned priorities

57

PASSWORD EXPIRATION AND USER BEHAVIOR

Case Study #2

58

Does password expiration improve security in practice? •  Observation

–  Users often respond to password expiration by transforming their previous passwords in small ways [Adams & Sasse 99 … we’ll talk about this later]

•  Conjecture–  Attackers can exploit the similarity of passwords in the

same account to predict the future password based on the old ones

[Zhang et. al, CCS 2010]

59

Empirical analysis

•  UNC “Onyen” logins–  Broadly used by campus and hospital personnel–  Password change required every 3 months –  No repetition within 1 year

•  51141 unsalted hashes, 10374 defunct accounts–  4 to 15 hashes per account in temporal order

•  Cracked ~8k accounts, 8 months, standard tools

•  Experimental set: 7752 accounts–  At least one cracked password, NOT the last one

60

Transform Trees

s→$ p→P

s→$ p→P s→$ p→

P

“password”

“pa$sword”? “Password”?

“pa$$word”? “Pa$sword”? “Pa$sword”? ┴

•  Approximation algorithm for optimal tree searching

61

Location Independent Transforms

CATEGORY EXAMPLE

Capitalization tarheels#1 → tArheels#1 Deletion tarheels#1 → tarheels1

Duplication tarheels#1 → tarheels#11 Substitution tarheels#1 → tarheels#2

Insertion tarheels#1 → tarheels#12 Leet Transform tarheels#1 → t@rheels#1

Block Move tarheels#1 → #tarheels1 Keyboard Transform tarheels#1 → tarheels#!

62

Evaluation

•  Pick a known plaintext, non-last password (OLD)

•  Pick any later password (NEW)

•  Attempt to crack NEW with transform tree rooted at OLD

63

Results: Offline Attack

depth 1

depth 2 depth 3

depth 4

0%

10%

20%

30%

40%

50%

Edit Dist Edit w/ Mov Loc Ind

Pruned

26% 28% 25%

17%

39% 41% 37%

24%

41%

28% 30%

Succ

ess

rate

Within 3 Seconds !!

Takeaways: Memory limitations matter Convenience always wins

64

Understanding the human

•  Who wants to practice good security but doesn’t know how

•  Who is indifferent to security but will comply–  If it’s easy–  If it’s the default–  If it doesn’t interfere with the primary task

65

Human-in-the-loop framework

•  Based on Communication-Human Information Processing Model (C-HIP) from Warnings Science

•  Models human interaction with secure systems

•  Can help identify (non-malicious) human threats

L. Cranor. A Framework for Reasoning About the Human In the Loop. Usability, Psychology and Security 2008. http://www.usenix.org/events/upsec08/tech/full_papers/cranor/cranor.pdf

66

Human-in-the-loop framework Human Receiver

Intentions

Motivation

Attitudes and Beliefs

Personal Variables

Knowledge & Experience

Demographics and Personal

Characteristics

Capabilities

Communication

Behavior

Communication Impediments

Interference

Environmental Stimuli

Com

mun

icat

ion

Proc

essi

ng

Comprehension

Knowledge Acquisition

App

licat

ion Knowledge

Retention

Knowledge Transfer

Com

mun

icat

ion

Del

iver

y

Attention Switch

Attention Maintenance

Communication

Communication Impediments

Interference

Environmental Stimuli

Human Receiver

Intentions

Motivation

Attitudes and Beliefs

Personal Variables

Knowledge & Experience

Demographics and Personal

Characteristics

Capabilities

Com

mun

icat

ion

Proc

essi

ng

Comprehension

Knowledge Acquisition

App

licat

ion Knowledge

Retention

Knowledge Transfer

Com

mun

icat

ion

Del

iver

y

Attention Switch

Attention Maintenance

Behavior

67

Human threat identification and mitigation process

Task Identification

Task Automation

Failure Mitigation

User Studies

Failure Identification

Human-in- the-loop

Framework

User Studies

Identify points where system relies on humans to perform security-critical functions

Find ways to partially or fully automate some of these tasks

Identify potential failure modes for remaining tasks

Find ways to prevent these failures

68

Human-in-the-loop framework Human Receiver

Intentions

Motivation

Attitudes and Beliefs

Personal Variables

Knowledge & Experience

Demographics and Personal

Characteristics

Capabilities

Communication

Behavior

Communication Impediments

Interference

Environmental Stimuli

Com

mun

icat

ion

Proc

essi

ng

Comprehension

Knowledge Acquisition

App

licat

ion Knowledge

Retention

Knowledge Transfer

Com

mun

icat

ion

Del

iver

y

Attention Switch

Attention Maintenance

Comprehension

69

70

Internet Explorer cookie flag

71

Human threat identification and mitigation process

Task Identification

Task Automation

Failure Mitigation

User Studies

Failure Identification

Human-in- the-loop

Framework

User Studies

Identify points where system relies on humans to perform security-critical functions

Find ways to partially or fully automate some of these tasks

Identify potential failure modes for remaining tasks

Find ways to prevent these failures

72

73

74

Users are not the enemy

•  Adams and Sasse, CACM 1999

•  “These observations cannot be disputed, but the conclusion that this behavior occurs because users are inherently careless — and therefore insecure — needs to be challenged.”

•  Study methods: –  Online survey, primarily from organization A–  Interviews at organizations A and B–  Grounded theory

75

Results (Highlights)

•  Circumventing rules to get work done–  Shared passwords, predictable choices

•  Multiple passwords lead to problems

•  Limited knowledge of what pwds are secure–  Limited knowledge of threats

76

Discussion questions

•  This paper is “classic” (from 1999). What do you think might be different today? What questions would you add or change?

•  Are these participants representative (of what)?

–  What other groups could you ask? How might the results be different?

77

Discussion questions

•  “Users identified certain systems as worthy of secure password practices, while others were perceived as ‘not important enough.’”–  How do you motivate users?–  How do you treat users as partners?–  What about when this behavior is rational/correct?

•  List of proposed solutions–  Do you think these would work? Why / why not?–  Other suggestions?

78

(One) Hierarchy of solutions

•  Make it “just work”–  Invisible security

•  Make security/privacy understandable–  Make it visible–  Make it intuitive–  Use metaphors that

users can relate to

•  Train the user

79

Automation considered harmful?

Problems:

•  Insufficient flexibility

•  Imposition of values

•  Impact on user experience

–  Especially in failure cases

•  Examples from your home domain?

80

Considerations for automating

•  Accuracy

•  Stakeholder values

•  Information overload?

•  Implicit instead?

•  Keep human informed?

•  Fail gracefully?

•  Do you agree with all of these?

•  Are there others we should add?

81

Suggested research directions

Suggested directions:

•  Exposing system behavior

•  Causality and contextualization–  Identify root causes–  Moving system -> application

•  Social identity and decisionmaking

–  People rather than devices–  Multiple, flexible social identities

82

Discussion questions

•  This one is from 2007. How do you think these issues have evolved in the meantime?

•  Problems/solutions in your home domain–  How do they fit into this framework?

•  Problems/challenges in the suggested directions?